#20103: Difficult-to-reproduce crash on OpenBSD: tor invoked from Tor Browser 6.0.4 --------------------------+------------------------------ Reporter: attila | Owner: Type: defect | Status: new Priority: High | Milestone: Component: Core Tor/Tor | Version: Tor: 0.2.8.7 Severity: Normal | Resolution: Keywords: | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------+------------------------------
Comment (by attila): After a few more hours of testing and screwing around I've found this is not hard to reproduce at all: 1. start TBB; 2. load a page (I've been using https://blog.torproject.org but I don't think it matters much); 3. wait :-) Under OpenBSD-current/amd64 as of the 5 Sept snap you'll eventually get a crash like the one I dissected above; there's a more recent snap and I'm working on upgrading to it. I now have gdb attached to the last instance of tor that TBB started and am waiting for it to die so I can learn more, but it crashed for me overnight and the tail end of the logs might be interesting to someone who knows more than me (I cranked up logging to debug before having TBB restart tor): {{{ ... Sep 08 15:54:58.000 [debug] relay_lookup_conn(): found conn for stream 23866. Sep 08 15:54:58.000 [debug] circuit_receive_relay_cell(): Sending to origin. Sep 08 15:54:58.000 [debug] connection_edge_process_relay_cell(): Now seen 3005 relay cells here (command 2, stream 23866). Sep 08 15:54:58.000 [debug] connection_edge_process_relay_cell(): circ deliver_window now 966. Sep 08 15:54:58.000 [debug] connection_or_process_cells_from_inbuf(): 24: starting, inbuf_datalen 514 (0 pending in tls object). Sep 08 15:54:58.000 [debug] channel_queue_cell(): Directly handling incoming cell_t 0x7f7fffff4880 for channel 0x477f126c000 (global ID 3) Sep 08 15:54:58.000 [debug] circuit_get_by_circid_channel_impl(): circuit_get_by_circid_channel_impl() returning circuit 0x477f126c800 for circ_id 2778626874, channel ID 3 (0x477f126c000) Sep 08 15:54:58.000 [debug] relay_lookup_conn(): found conn for stream 23866. Sep 08 15:54:58.000 [debug] circuit_receive_relay_cell(): Sending to origin. Sep 08 15:54:58.000 [debug] connection_edge_process_relay_cell(): Now seen 3006 relay cells here (command 3, stream 23866). Sep 08 15:54:58.000 [info] connection_edge_process_relay_cell(): -1: end cell (closed normally) for stream 23866. Removing stream. Sep 08 15:54:58.000 [debug] connection_or_process_cells_from_inbuf(): 24: starting, inbuf_datalen 0 (0 pending in tls object). Sep 08 15:54:58.000 [debug] conn_close_if_marked(): Cleaning up connection (fd - Sep 08 15:54:58.000 [debug] conn_close_if_marked(): Flushed last 2115 bytes from a linked conn; 0 left; flushlen 0; wants-to-flush==0 Sep 08 15:54:58.000 [debug] circuit_detach_stream(): Removing stream 23866 from circ 2778626874 Sep 08 15:54:58.000 [debug] connection_remove(): removing socket -1 (type Socks), n_conns now 8 Sep 08 15:54:58.000 [info] connection_free_(): Freeing linked Socks connection [open] with 0 bytes on inbuf, 0 on outbuf. Sep 08 15:54:58.000 [debug] conn_read_callback(): socket -1 wants to read. Sep 08 15:54:58.000 [debug] fetch_from_buf_http(): headerlen 198, bodylen 612109. Sep 08 15:54:58.000 [debug] connection_dir_client_reached_eof(): Received response from directory server '66.111.2.20:9001': 200 "OK" (purpose: 14) Sep 08 15:54:58.000 [debug] router_new_address_suggestion(): Got X-Your- Address-Is: my.home.ip.address Sep 08 15:54:58.000 [debug] connection_dir_client_reached_eof(): Time on received directory is within tolerance; we are 0 seconds skewed. (That's okay.) Sep 08 15:54:58.000 [info] connection_dir_client_reached_eof(): Received consensus directory (size 1403277) from server '66.111.2.20:9001' Sep 08 15:54:58.000 [info] A consensus needs 5 good signatures from recognized authorities for us to accept it. This one has 8 (dannenberg tor26 longclaw maatuska moria1 dizum gabelmoo Faravahar). }}} This last message is the same message that appeared in the log from the original crash that George called to my attention (which I forgot to mention in the initial ticket, sorry), which ended thus: {{{ Sep 07 09:57:05.000 [debug] connection_dir_client_reached_eof(): Received response from directory server '66.111.2.20:9001': 200 "OK" (purpose: 14) Sep 07 09:57:05.000 [debug] router_new_address_suggestion(): Got X-Your- Address-Is: a.b.c.d Sep 07 09:57:05.000 [debug] connection_dir_client_reached_eof(): Time on received directory is within tolerance; we are -3 seconds skewed. (That's okay.) Sep 07 09:57:05.000 [info] connection_dir_client_reached_eof(): Received consensus directory (size 1401858) from server '66.111.2.20:9001' Sep 07 09:57:05.000 [info] A consensus needs 5 good signatures from recognized authorities for us to accept it. This one has 8 (dannenberg tor26 longclaw maatuska moria1 dizum gabelmoo Faravahar). }}} One more note: since I'm in Mexico I have to use known bridges to get onto Tor. I would like to do something about this in the future, but for now it should be noted that my torrc for TBB looks like this: {{{ # This file was generated by Tor; if you edit it, comments will not be preserved # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it Bridge 66.111.2.16:9001 Bridge 66.111.2.20:9001 DataDirectory /home/attila/TorBrowser-Data/Browser/tor_data HiddenServiceStatistics 0 UseBridges 1 Log debug file /home/attila/tmp/tor-debug.log }}} If anyone wants to play with this you can find packages for the latest OpenBSD-current/amd64 snapshot here temporarily: [https://bits.haqistan.net/~tdp/amd64]. Those are only the packages necessary to install this latest test build of TBB on OpenBSD/amd64. If you're on a fresh -current install you'll need the run dependencies as well. I put a list of them in [https://bits.haqistan.net/~tdp/amd64/full- run-depends.txt] to make it simple. If you were to download all the files in that directory onto your current/amd64 box/vm the following would install them (assuming they are in `.`): {{{ $ doas pkg_add -l full-run-depends.txt -z $ doas pkg_add *.tgz }}} Hopefully my gdb session will kick out a segfault at some point and maybe I can see more. The two logs from crashes I have are rather large but if someone wants them I can put them somewhere. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20103#comment:2> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs